from the making-citizens-pay-for-the-government's-sins dept

A 19-year-old Canadian is being criminally charged for accessing a website. The Nova Scotian government's Freedom of Information portal (FOIPOP) served up documents it shouldn't have and now prosecutors are thinking about adding charges on top of the ten-year sentence the teen could already be facing. (via Databreaches.net)

Even once the government learned of the breach, it waited until Wednesday to begin notifying affected people. Arab said they held off notifying people because police suggested it would help them in their investigation.

Seems logical, except…

But [Halifax Police Superintendent Jim] Perrin told reporters police did not make that request. He could not say if advising people would have compromised the investigation. The province's protocols for a privacy breach state it is supposed to inform people as soon as possible, unless otherwise instructed by law enforcement.

The suspect obtained 7,000 documents from the Freedom of Information portal. Apparently around 250 of those contained unredacted personal information. Here's how the government portrayed the supposed hacking:

Government officials said someone got in by "exploiting a vulnerability in the system." The person wrote a script allowing them to alter the website's URL, which then granted access to the personal information.

Internal Services found more than 7,000 PDF documents had been downloaded by a "non-authorized user" in early March. They filed a complaint with police on Saturday.

Document number 1235 is stored at https://foipop.novascotia.ca/foia/views/_AttachmentDownload.jsp?attachmentRSN=1235.

Guess where document 1236 is stored? This is not a new problem. In fact, it was recognized over a decade ago as one of the top ten issues affecting web application security. All [the "hacker"] had to do is add.

All this "hacker" did was automate the retrieval of published documents from the government's FOI portal. That's it. This wasn't an attempt to access personal info. That problem lies with the government, which did not properly secure documents it hadn't redacted yet. As D'Etremont points out, plenty of other government websites use the same software for document access. (Searching "inurl:attachmentRSN" will bring up a handful of government websites, including Nova Scotia's temporarily disabled FOI portal).

But other sites have taken care to wall off publicly-available documents from others they're not prepared to make public by using a PublicPortal subfolder. Nova Scotia's site apparently did not, hence the teen's ability to access unredacted documents. This isn't evidence of fraudulent access or malicious hacking. This is evidence of government carelessness.
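The missing control described above, as an added example (not the portal's code; the `published` flag, the `foi_staff` role and the sample records are assumptions made for illustration): a download handler that authorizes each attachment by its release state instead of treating the identifier in the URL as the only gate, plus a regression check an operator can run against its own store.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Attachment:
    rsn: int          # sequential record number, as in attachmentRSN
    body: bytes
    published: bool   # assumption: set only after redaction review is complete


# Constructed sample store: released and unreleased files share one ID space.
STORE = {
    1235: Attachment(1235, b"released FOI response", published=True),
    1236: Attachment(1236, b"UNREDACTED personal information", published=False),
    1237: Attachment(1237, b"released FOI response", published=True),
}


class NotFound(Exception):
    """Raised for both missing and non-released attachments."""


def download_unchecked(rsn, user_roles=frozenset()):
    """The pattern the article describes: knowing the number is sufficient."""
    att = STORE.get(rsn)
    if att is None:
        raise NotFound(rsn)
    return att.body


def download_checked(rsn, user_roles=frozenset()):
    """Authorize per object: anonymous callers only ever get released files."""
    att = STORE.get(rsn)
    allowed = att is not None and (att.published or "foi_staff" in user_roles)
    if not allowed:
        # Same error for "missing" and "not released", so the response does
        # not confirm that an unreleased record exists.
        raise NotFound(rsn)
    return att.body


def audit_exposure(handler):
    """Regression check: list unreleased RSNs an anonymous request can fetch."""
    exposed = []
    for rsn, att in STORE.items():
        if att.published:
            continue
        try:
            handler(rsn)
            exposed.append(rsn)
        except NotFound:
            pass
    return exposed


if __name__ == "__main__":
    print("unchecked handler exposes:", audit_exposure(download_unchecked))
    print("checked handler exposes:  ", audit_exposure(download_checked))
```

Keeping unreleased files in a separate store, as the PublicPortal installations do, is a second layer; the per-object check is what keeps a misfiled document from being served.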

The question remains, was the access fraudulent?

Remember what I said about the other installations being called “PublicPortal”? And how 6750 of the 7000 records were public anyways, and how this system is literally designed for facilitating “access to information?” Looking at it further, there are no authentication mechanisms, no password protection, no access restrictions. It’s very clear that the software is intended to serve as a public repository of documents.

It’s also very clear that there are at least 250 documents improperly stored there by the province. Documents that the province had a responsibility to protect, and failed.

This wasn't a criminal act. This was simply efficient harvesting of publicly-available documents. If some documents weren't supposed to be publicly-available, the blame lies with the government for failing to secure them. The fact that the government decided to get police involved gives this the ugly appearance of scapegoating. This is an embarrassed government body trying to turn its mistake into the malicious work of a teen hacker.

It would be very surprising to see these charges stick. The URLs -- and the documents they held -- were publicly-accessible. But if they do stick -- and the Halifax PD has stated it may add more charges -- it will be due to the Nova Scotia government's unwillingness to take responsibility for its own carelessness.

from the back-to-the-legislative-drawing-board dept

Nova Scotia's horrible cyberbullying law -- with its broad definitions of bullying, lack of due process and a wholly ex parte accusation process -- emerged from the suicide of a teenage girl. Like many laws written in the wake of a tragedy, it was a hodgepodge of good intentions bundled in "do something" legislating. The resulting statute was terrible and destined for abuse.

A Canadian court first challenged the law in April 2015, nearly two years after it passed. The law, written with a bullied teenager in mind, was now being used by adults as a proxy for a defamation lawsuit, with the plaintiff likely figuring the broad language would result in a more favorable decision.

The court, however, wasn't interested in using a bad law for worse ends. It revoked an order issued under the statute and stated the element of actual malice needed to be factored into decisions under the legislation. This element freed otherwise uninvolved third parties (like ISPs) from being implicated simply because their services were used in the commission of cyberbullying and at least provided some form of defense against ex parte accusations.

"The act must be struck down in its entirety. The attorney general has not persuaded me that a temporary suspension is warranted," McDougall wrote.

"To temporarily suspend the declaration of validity would be to condone further infringements of charter-protected rights and freedoms."

So, no one-year grace period to fix the law. Legislators will need to start from the ground up, a situation apparently uncommon when the courts find laws objectionable. This gives more credence to those who called the law out two years ago for its ability to turn everyone into a "cyberbully."

A stat included in one report, which was possibly supposed to indicate the law's worthiness, instead seems to imply the anti-cyberbullying legislation was overkill.

That means the CyberSCAN unit at the provincial Department of Justice — created to investigate allegations of cyberbullying under the law — will stop working on 35 cases and shift its focus to public education and awareness.

A department spokesperson told CBC News that in the last two years, they worked on 800 complaints, with many of the cases involving harassing photos or bullying comments that were removed or stopped without the involvement of police.

The cases that have ended up in court seem to be the result of plaintiffs looking to avoid the more rigorous demands of defamation lawsuits by using ex parte accusations and the resulting court orders to block the accused from making further derogatory statements.

The Justice Department issued a statement saying an independent review of the Parsons’ case by a former Ontario chief prosecutor found the law was a “novel and directly responsive solution” to address cyberbullying.

“The intent of the legislation is good, and had all-party support when it was passed,” it added.

Well, maybe both parties can put together something better for version 2.0, now that there's time, distance and hindsight available to help guide them towards better legislation.

from the one-of-the-many-problems-with-emotionally-charged-laws dept

Nova Scotia's supremely awful cyberbullying law is finally receiving a much-needed tweak, but it took a trip to the Supreme Court to do it. (As noted by a commenter below, the Supreme Court is just Nova Scotia's first level of trial court, rather than the province's highest court.) The law's original wording was so broad it had the potential to "make bullies of us all," as MacLean's Jessie Brown put it when the law went into effect.

The law -- hastily pushed through the legislative system in response to a cyberbullying victim's suicide -- contained this passage, which was open-ended enough to criminalize all sorts of previously-protected speech:

…any electronic communication through the use of technology including, without limiting the generality of the foregoing, computers, other electronic devices, social networks, text messaging, instant messaging, websites and electronic mail, typically repeated or with continuing effect, that is intended or ought reasonably [to] be expected to cause fear, intimidation, humiliation, distress or other damage or harm to another person’s health, emotional well-being, self-esteem or reputation, and includes assisting or encouraging such communication in any way.

This definition of cyberbullying captures a wide range of communication, from the truly insidious statements calculated to cause fear and intimidation to statements that are simply embarrassing or somehow harmful to the recipient’s emotional well-being. The definition contains no requirement to show motive or intent, nor does it require that the communication be false or misleading. On a plain reading of it, true statements could be considered cyberbullying so long as they are repeated and are distressing or harmful to someone’s self-esteem. Moreover, and as it includes those who “assist” in such communications, the definition is also arguably broad enough to include those who publish the electronic communication, such as web hosts or internet service providers (ISPs).

Safeguards that are typically seen in defamation and harassment laws are completely missing from Nova Scotia's cyberbullying law -- which would explain why a person who felt himself a victim of defamation or harassment might take the easier route and use the badly-written cyberbullying law to shut down his "bully," instead. And that's true, even though much of what was said had not risen to the level of defamation, and much of what was contested occurred before the law went into effect.

The court examined the law and the protective order issued by a lower court justice of the peace and found both wanting. As for the law's wording itself, the Supreme Court found it too inclusive to be anywhere near reasonable and, in fact, a threat to normally protected speech. While the law is in place to address cyberbullying, the definition is vague enough to cover far more than internet communications. This has the potential to stymie news reporting through traditional channels, as well as cover "communications" never intended to be included in the cyberbullying law.

Both the ordinary meaning of “electronic” and the inclusive definition capture uses of electricity for communication that were common long before cyberspace (1984). Here are a few examples from the old days: cylinder phonograph records (1877); disc gramophone records (1894) including 78s (1898), long plays (1948), singles (1949), and extended plays (1952); studio cast recordings (1943 or before); broadcasting by way of commercial radio (1920s), commercial television (1928), walkie-talkie (1940), and citizens’ band (1948), and, of course; telegraph (1834) and telephone (1876), including fax (1964). All of these are within the definition of “electronic”, at least when it is read literally.

The Supreme Court continues, providing examples of how this badly-written law could be twisted to cover nearly every form of communication imaginable, so long as the communication itself causes "fear, intimidation or distress."

The first thing to note in the definition of cyberbullying is the disconnect between the ordinary meaning of the word and the literal definition. One who communicates electronically, whether it be by text message or telephone, and says something reasonably expected to cause fear, intimidation, humiliation, or distress is a cyberbully.

The next thing to note is the absence of conditions or qualifications ordinarily part of the meaning of bullying. Truth does not appear to matter. Motive does not appear to matter. Repetition or continuation might (“repeated or with continuing effect”) or might not (“typically”) matter. A neighbour who calls to warn that smoke is coming from your upstairs windows causes fear. A lawyer who sends a demand letter by fax or e-mail causes intimidation. I expect Bob Dylan caused humiliation to P. F. Sloan when he released “Positively 4th Street”, just as a local on-line newspaper causes humiliation when it reports that someone has been charged with a vile offence. Each is a cyberbully, according to the literal meaning of the definitions, no matter the good intentions of the neighbour, the just demand of the lawyer, or the truthfulness of Mr. Dylan or the newspaper.

As the court sees it, the law demands the inclusion of a motivation -- malice -- and yet, its hurried passage failed to include this key element. Adding in that factor goes against the lower court justice of the peace's decision and nullifies the issued protective order.

The evidence does not malice as required, according to my interpretation, for a finding of cyberbullying after August 6, 2013. Firstly, the events after that date, except for the mikemacdonald1975@hushmail.com e-mail, are relatively mild. Secondly, the full correspondence between Mr. Baha’i and Mr. Fraser about removal, which Justice of the Peace Gass did not see, shows efforts by Mr. Baha’i, an unanswered request for suggestions, and statements of Mr. Fraser’s assessment of Mr. Baha’i’s liabilities closing the discussion. This correspondence is inconsistent with malice on Mr. Baha’i’s part.

[...]

Mr. Self chose his forum. It is one in which Mr. Baha’i is entitled to disclosure and discovery, to fully test the many allegations. Unlike Cyber-safety Act proceedings, it is one in which the parties can find out who is behind mikemacdonald1975@hushmail.com, rather than speculate. It is also a forum in which serious risk of defamatory repetition could be controlled by interim injunction, without the ex parte one-sidedness of the Cyber-safety Act. Despite this, the cyber protection order prevents Mr. Baha’i from communicating with the very person who is suing him.

The evidence satisfies me that malicious repetition by Mr. Baha’i is unlikely. Unlike Justice of the Peace Gass on the ex parte application, I have a full picture of the attempts to satisfy Mr. Fraser’s demands on behalf of Mr. Self. Whether he can force Mr. Baha’i to expunge what is not in his control, and whether he can recover damages against Mr. Baha’i for third party reproductions, risk of repetition by Mr. Baha’i is not in issue. Also, unlike the justice, I take into account that the Cyber-safety Act was not law when Mr. Baha’i was active on the present subject.

Summing up, the Supreme Court finds Nova Scotia's cyberbullying law -- as written -- to be a threat to protected speech.

In my assessment, the damage caused by the cyber protection order to Mr. Baha’i’s constitutional right to free speech and to his property right to use his own equipment outweighs the potential harm to Mr. Self if Mr. Baha’i is able to communicate freely. Justice requires that the order be revoked.

This fixes one of the major holes in the law, and restores much-needed protections for uninvolved third-parties (social media platforms, ISPs) who can't, by definition, show malice by hosting or transmitting communications made illegal by this law.

Unfortunately, it doesn't address another of its major flaws -- the wholly ex parte accusation process, which can result in severe penalties for the accused (loss of internet connection or access to electronic devices, gag orders, etc.) without being allowed to present their side of the issue in court.

Rape, assault, harassment: these are crimes with established parameters. All of them could also be called “bullying.” They could also be described as “mean,” and I suppose we could enact a law against being mean. But I’d rather have laws against specific crimes, rather than against vast swaths of vaguely defined human behaviour. Ultimately, bullying is in the eye of the bullied.

Here's where these laws fall apart. Instead of an objective standard, the accused are held to a subjective standard, one applied by the accuser and enforced by the law. Where most criminal activities are clearly defined by certain actions, cyberbullying (and regular bullying) have no clear definition.

The bill works this way: an accuser files a claim with the court, requesting a protection order against the accused. A judge decides whether the behavior detailed meets the definition of "cyberbullying" set by this law. The definition of cyberbullying is broad and vague, the end result of overly-cautious lawmakers addressing a problem with no clear boundaries and doing so under the self-imposed pressure of needing to "do something."

The definition of cyberbullying, in this particular bill, includes “any electronic communication” that “ought reasonably be expected” to “humiliate” another person, or harm their “emotional well-being, self-esteem or reputation.”

If this is the standard, I don’t know a person who isn’t a cyberbully.

Here's what can happen to the accused should the judge grant the protection order. (This process, by the way, occurs without any input from the accused -- it's solely between the judge and accuser.)

The police can seize your computers and phone.

Your Internet connection can be shut off.

You can be ordered to stop using electronic devices entirely.

Your Internet Service Provider or Internet companies, such as Facebook, can be compelled to fork over all your data to the police.

You can be gagged by the court and prohibited from mentioning your accuser online.

If you violate any of these orders, you’ll face stiff fines and up to two years of jail time. At this point, your accuser can sue you in civil court.

So, the law basically makes it possible for anyone's unfortunate online comments to result in a civil suit or a prison sentence. The process isn't adversarial at any point where some input or context might make a difference. Presumably, the accused can defend themselves once in civil court, but that will only mitigate the damages without having any effect on previous criminal charges or punishments already enacted.

Even worse, the law opens up parents to be targeted by civil suits for the bullying activities of their children and pushes school administrators to enact zero-tolerance policies backed by mandatory suspensions for bullying behavior -- even if it occurs off-campus. While there's something to be said for forcing parents to take responsibility for the actions of their children, in practice this becomes nothing more than presenting parents as a "soft target" for civil suits, allowing the accuser to bypass the accused entirely if success against the parents seems more promising.

Responding to a bullying incident by lowering the bar and raising the consequences is completely the wrong answer, no matter how tragic the incident. This new law has the potential to criminalize plenty of non-bullying activity and may actually encourage abuse by anyone who sees the possibilities provided by the law's unintended consequences -- an easy route to shut down and prosecute anyone who irritates them in any way.